Reply to Re: if I allow anyone on the web to run SQL queries against my database, what are the obvious attacks hackers will try? — PHP Programming Language

Posted by Geoff Berrow on 04/13/06 09:55

Message-ID: <1144909681.379717.249460@t31g2000cwb.googlegroups.com> from
lawrence k contained the following:

>The function that returns this checks to query to see if it contains
>the words ALTER, DROP, EMPTY, GRANT, UPDATE, INSERT, and a bunch of
>others. It calls die() if it sees any of those words.

The general advice seems to be to ban everything that is not allowed
rather than to allow anything which is not banned.

I think I'd construct the query in code from the input variables, after
having sanitised the input using mysql_real_escape_string()

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

[Back to original message]

Удаленная работа для программистов • Как заработать на Google AdSense • England, UK • статьи на английском • PHP MySQL CMS Apache Oscommerce • Online Business Knowledge Base • DVD MP3 AVI MP4 players codecs conversion help

Home • Search • Site Map • Set as Homepage • Add to Favourites

Сайт изготовлен в Студии Валентина Петручека —
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация